Decommission ADFS: How to switch from ADFS to Password Sync for Office 365

Recently, two new methods for Office 365 SSO have become available: Azure AD Seamless SSO and Azure AD Domain Join. Active Directory Federation Services (ADFS) had, and still has, its place in Office 365 environments, but it is neither as attractive nor as easy to run as the newer methods.

Planning

Any configured client (Office, Outlook, OneDrive, Skype for Business, mobile devices, and so on) may prompt users for a password the first time it connects after the change.

Skype for Business is notorious for handling this change poorly and may be unable to sign in afterwards.

Troubleshooting steps should include rebooting and clearing the MicrosoftOffice entries from Windows Credential Manager.

During the cutover, users may be unable to log in until their password hashes have synchronized.
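The Credential Manager cleanup above can be scripted so that a helpdesk technician, or the user, does not have to pick entries out of the GUI. The following is an added example written for this article, not code from the original post; it drives the built-in cmdkey tool, assumes it runs in the affected user's own session (cmdkey only sees that user's vault), and previews with -WhatIf before deleting anything.

```powershell
# Added example (not from the original article): remove cached Office credentials
# from Windows Credential Manager so Office/Outlook/Skype re-prompt for the new
# (password-synced) sign-in. Run as the affected user; preview with -WhatIf first.
function Remove-OfficeCachedCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Substring to match in the credential target name. "MicrosoftOffice"
        # covers the MicrosoftOffice15_Data / MicrosoftOffice16_Data entries.
        [string]$Pattern = 'MicrosoftOffice'
    )

    # cmdkey /list prints one "Target: ..." line per stored credential.
    $targets = foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
    }
    $targets = @($targets | Where-Object { $_ -like "*$Pattern*" })

    if ($targets.Count -eq 0) {
        Write-Verbose "No credentials matching '$Pattern' found."
        return
    }

    foreach ($target in $targets) {
        # cmdkey lists generic entries as "LegacyGeneric:target=<name>";
        # the /delete switch takes just <name>.
        $name = $target -replace '^LegacyGeneric:target=', ''
        if ($PSCmdlet.ShouldProcess($name, 'Delete cached credential')) {
            cmdkey "/delete:$name" | Out-Null
        }
    }
}

# Preview what would be removed, then remove it.
Remove-OfficeCachedCredential -WhatIf
Remove-OfficeCachedCredential -Verbose
```

Skype for Business typically keeps its own entries (target names beginning with Microsoft_OC1), so run the function a second time with -Pattern 'Microsoft_OC1' if Skype still refuses to sign in after the Office entries are gone. Sign out and back in, or reboot as the article suggests, after clearing the entries.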

Timing considerations:

Microsoft states that it can take up to 2 hours for your domain to be fully converted from Federated (ADFS) to Standard (Password Sync). In my experience it takes roughly 30 minutes, but plan for the full 2 hours to be safe.

After the domain is converted from Federated, a password sync will need to run, which also takes significant time depending on your user count.

Given these issues, be sure to communicate with your end users and plan to do this during an acceptable change window.

Cutover

The old way to cut over was with PowerShell and DirSync (or Azure AD Sync). You had to convert each domain federated with ADFS from "federated" to "standard" and temporarily set a password for each user. Then DirSync or Azure AD Sync had to be configured with Password Sync to begin syncing passwords from your local AD. Directions for this are listed at the bottom under Manual Cutover; however, I recommend following the Cutover Using Azure AD Connect instructions instead, as the tool performs many of the steps for you and shortens the downtime. Either method works for ADFS 2.0 (Server 2008) and above.

Cutover Using Azure AD Connect

Ensure you have Azure AD Connect installed and configured before starting.

Open the Azure Active Directory Connect application from the start menu (or desktop).

Click Configure.

Select Change user sign-in and click Next.

Enter Global Administrator credentials for your Azure AD (Office 365). These credentials are used only to authenticate during this configuration and are not stored or cached afterwards.

On the next screen, ensure that Federation with AD FS is preselected. If it is not, Azure AD Connect is not set up to manage ADFS for you; exit and follow the Manual Cutover steps at the bottom of this article instead.

Select either Password Synchronization or Pass-through authentication, depending on which route you have chosen.

Leave Do not convert user accounts unchecked, so that Azure AD Connect converts the federated domains and their users to managed authentication for you.

If you are looking to use Azure AD Connect for Single Sign On, check Enable single sign-on. Click Next.

If you checked Enable single sign-on, enter your domain admin credentials on the next screen to continue. Otherwise, skip to the final step.

Finally, ensure the Start the synchronization process when configuration completes box is checked, and click Configure. Passwords will start synchronizing right away.
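Whichever route you took, confirm from PowerShell that the domains really are Managed and that password hashes are flowing before telling users the change is done. The block below is an added example written for this article, not code from the original post or from Microsoft; it also covers the manual path referred to above (converting a domain that is still Federated with Convert-MsolDomainToStandard). It assumes the MSOnline module is installed (Install-Module MSOnline), that the conversion step runs on the ADFS server (or after Set-MsolADFSContext -Computer pointing at it), and that the delta-sync step runs on the Azure AD Connect server where the ADSync module lives.

```powershell
# Added example (not from the original article): verify cutover state, convert
# any domain still Federated (manual path), and confirm password hash sync.
Import-Module MSOnline
Connect-MsolService   # prompts for Global Administrator credentials

# 1. Which verified domains are still Federated? After a successful cutover every
#    domain you converted should report Authentication = Managed.
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$domains | Select-Object Name, Authentication | Format-Table -AutoSize

# 2. Manual cutover for any domain still Federated. Convert-MsolDomainToStandard
#    flips the domain to Managed, removes the Office 365 relying party trust on the
#    ADFS server, and (with -SkipUserConversion $false) assigns every user in the
#    domain a temporary password written to -PasswordFile. Password hash sync
#    overwrites those temporary passwords, but the file is sensitive while it
#    exists: keep it local and delete it once sync is confirmed.
$federated = @($domains | Where-Object { $_.Authentication -eq 'Federated' })
foreach ($d in $federated) {
    $answer = Read-Host "Convert $($d.Name) from Federated to Managed? (y/N)"
    if ($answer -ne 'y') { continue }
    $pwFile = Join-Path $env:TEMP ("cutover-{0}.txt" -f $d.Name)
    Convert-MsolDomainToStandard -DomainName $d.Name `
        -SkipUserConversion $false -PasswordFile $pwFile
    Write-Host "Converted $($d.Name); temporary passwords written to $pwFile"
}

# 3. On the Azure AD Connect server, kick a delta sync so hashes start flowing
#    now instead of at the scheduler's next 30-minute run.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. Confirm password sync is actually happening. LastPasswordSyncTime should
#    advance after the cycle; if it stays empty or stale, password hash sync is
#    not enabled on the connector and users will be stuck on temporary passwords.
(Get-MsolCompanyInformation).LastPasswordSyncTime
```

Step 2 only runs against domains the cmdlets report as Federated, so on a tenant that Azure AD Connect has already converted it does nothing and the block reduces to a health check. Re-run step 4 a few minutes after the delta sync; the timestamp moving forward is the signal that the "users may be unable to log in until passwords synchronize" window is closing.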